Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1256
Views
5
Helpful
4
Replies

Most secure way to allow IOT devices that require WPA?

aeccles
Level 1
Level 1

‎07-12-2021 08:37 AM

Our org just acquired 2 sets of IOT devices that wouldn't connect to our existing SSIDs. 

 

The first SSID "Employee" has the following settings:

Layer 2 Security: WPA + WPA2

WAP2 Policy

WPA2 Encryption - AES

PSK

FT PSK

 

The second SSID "Guest" is open with no security.  It is segmented and routed out a different internet connection.  There is no access between this network and the rest of my network.

 

There are 3 other SSIDs but those have specific network/routing scenarios and cannot be used.

 

After playing around with settings, I found that the devices will connect to an SSID when I enable WPA Policy &  WPA Encryption - AES.  And after talking to the manufacturer, found that the IOT devices cannot connect to SSIDs that do not have passwords.  So, this explains why they won't connect the these two SSIDs.  Unfortunately, I need them to connect

 

The IOT devices need to be accessible to/from my enterprise network - basically, devices connecting to my "Employee" SSID need to be able to interact with them.  Creating another SSID would be simple, but I want to be mindful of security issues AND I am also trying to limit the number of SSIDs I have since I'm already at 5.  So.... the question is, what is the best way to allow an SSID with only WPA and WPA Encryption, and allow those devices access to/from devices on my Employee SSID (which has a great deal of network access)? 

 

Thank you

 

0 Helpful
4 Replies 4

JPavonM
VIP
VIP

‎07-12-2021 09:11 AM

Create separate SSIDs and whatever configuration mode you are using (local or flexconnect) map Employees and IoT SSID to the same VLAN.

HTH

-Jesus

0 Helpful

aeccles
Level 1
Level 1
In response to JPavonM

‎07-12-2021 09:34 AM

Wouldn't that effectively be the same as adding WPA support to my existing Employee SSID?

0 Helpful

cmarva
Level 4
Level 4
In response to aeccles

‎07-12-2021 10:44 AM

from an IP address perspective, yes. From a wlan perspective, no. You would be able to keep the one-off settings for IoT separate from your employee wlan. You could implement any other security type measures on the IoT wlan (mac filtering, acls, etc) without worry about hosing your employees

0 Helpful

Leo Laohoo
Hall of Fame
Hall of Fame

‎07-12-2021 03:25 PM

@aeccles wrote:

So.... the question is, what is the best way to allow an SSID with only WPA and WPA Encryption, and allow those devices access to/from devices on my Employee SSID (which has a great deal of network access)? 

That is one very dangerous IoT (Internet of Trash) client.  I would keep that away from any network devices as possible.  If it "has to" be in, then firewall it in it's own little subnet with one way out.  

Ransomware crew can easily find this device chatting to the internet and can, without any difficulties, use it as an ingress point.  

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card